A way to take out spammers? 3 banks process 95% of spam transactions

Payment processing could be the weak link in the spam money trail, according …

If you want to stop spam then going after the banks and payment processors that enable their lucrative trade may be your best bet, according to research performed by a team from the University of California-San Diego, the University of California-Berkeley, and the Budapest University of Technology and Economics. After examining millions of spam e-mails and spam Web sites—and making over 100 purchases from the sites advertised by the spammers—the research team found that just three banks were used to clear more than 95 percent of spam funds.

Follow the money

Rather than focus on filtering spam at mail gateways and taking down botnets responsible for sending countless billions of junk e-mails, the researchers decided to focus on the heart of the problem: money. Spammers send spam because sending spam makes them money. That money comes from the online purchases of the products the spam advertises: drugs, counterfeit software, and knock-off merchandise.

By examining the entire chain from spam receipt to delivery of goods, the researchers found that in spite of the huge diversity in spams received—which poses a substantial problem for filters—and the vast number of URLs and domains used to direct people to the shady online vendors, there weren't that many ways for money to get into the spammers' hands. The spammers themselves generally serve only as advertisers, separate from the affiliate networks that provide online storefronts to manufacturers and distributors. The affiliate networks provide all the relevant technology to the manufacturers: shopping carts, analytics, and billing systems. The cut the spammers take is significant, typically 30-50 percent.

The researchers visited the URLs spammers sent them, following their redirects until they reached an actual online store. Almost one billion URLs were received in spam, but these led to just 45 different affiliate networks. The researchers made 120 purchases from the different affiliate networks to track the actual money. 76 payments were authorized by the credit card networks, and of those, 56 payments completed. 49 products were actually delivered.

Find the bottlenecks

At every stage of the process, the researchers identified bottlenecks: points where the behind-the-scenes infrastructure was much less diverse than the spam itself. The Rustock botnet, for example, was responsible for about a third of all spam sent globally, with the result that killing just one botnet caused a substantial drop in global spam levels. However, there are many other botnets able to take its place, which makes it hard to defeat spam by going after botnets alone. Affiliate programs were relatively few, with just 45 identified, but efforts to take these down have proven difficult in the past.

Web hosting and domain registration also showed up as significant bottlenecks, with more than 60 percent of spam domain registrations dependent on five registrars, and 50 percent of DNS and Web hosting spread across a few dozen hosts. However, these bottlenecks also prove difficult to seal off; though many hosts and registrars want nothing to do with spam operations, there are many hundreds of companies offering such services, and the cost of switching to a new host or registrar is often minimal. Even if some hosts can be taken down, the spammers will switch.

However, when it comes to banking, the bottlenecks are far more severe, and switching is far more difficult. One bank alone was used to settle more than 60 percent of all transactions, and the top three banks—Azerigazbank in Azerbaijan, St Kitts & Nevis Anguilla National Bank in St Kitts & Nevis, and Norwegian-owned DnB Nord in Latvia—together accounted for more than 95 percent of all money paid to spam vendors. The implication is that many banks simply won't deal with spam outfits. Even when switching does occur, it's disruptive, with payment processors typically introducing delays of days or weeks for due diligence to be performed.

The Latvian bank's Norwegian owners say that the spam customers were inherited when they bought the bank, and claim that they have terminated their relationship with the spam affiliate programs.

Taking down botnets is good from a computer security perspective, but the long-term impact it has on spam is low. Going after hosts and registrars shows a similar story; it can be done, and has a short-term effect, but it's easy for the spammers to find alternative arrangements and bounce back.

But where those efforts have had only short-term success, work against the banking bottleneck may well prove more fruitful. If dealing with the handful of banks were made impossible—for example, if Western banks refused to settle certain kinds of credit card transactions with banks known to be spam-friendly, an approach already used in the US to block access to online gambling sites—it would severely diminish the ability of the spam vendors to get paid, sucking the cash out of the spam business. And given the time and complexity of setting up new merchant agreements, this might be one area where the good guys can move faster than the spammers. Killing spam won't be easy, but going after the money could be our best bet for an end to the junk mail menace.
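The difference between refusing all transactions with a flagged bank and refusing only certain kinds of transactions can be measured on sample data. The following is an added example, not code from the article or the study; the acquirer labels, the transaction records and the two rule functions are constructed assumptions, with card-not-present pharmacy transactions (merchant category code 5912) as the one restricted category.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    acquirer: str       # merchant's bank (placeholder label, not a real ID)
    mcc: str            # Merchant Category Code
    card_present: bool
    spam_linked: bool   # ground truth, e.g. established by test purchases


# Hypothetical "financial blacklist" built from test purchases.
FLAGGED_ACQUIRERS = {"BANK_A", "BANK_B", "BANK_C"}
RESTRICTED_MCCS = {"5912"}  # Drug Stores and Pharmacies


def blanket_rule(t: Txn) -> bool:
    """Decline everything settled by a flagged acquirer."""
    return t.acquirer in FLAGGED_ACQUIRERS


def selective_rule(t: Txn) -> bool:
    """Decline only card-not-present, restricted-MCC traffic at flagged acquirers."""
    return (t.acquirer in FLAGGED_ACQUIRERS
            and not t.card_present
            and t.mcc in RESTRICTED_MCCS)


def evaluate(rule, txns):
    """Count spam-linked and legitimate transactions a rule would decline."""
    declined = [t for t in txns if rule(t)]
    return {
        "spam_blocked": sum(t.spam_linked for t in declined),
        "spam_total": sum(t.spam_linked for t in txns),
        "legit_declined": sum(not t.spam_linked for t in declined),
    }


def acquirer_share(txns):
    """Share of spam-linked transactions per acquirer, largest first."""
    counts = Counter(t.acquirer for t in txns if t.spam_linked)
    total = sum(counts.values())
    return [(bank, n / total) for bank, n in counts.most_common()]


def _n(count, **fields):
    return [Txn(**fields) for _ in range(count)]


# Constructed sample: spam concentrated at three acquirers, mixed with
# ordinary retail traffic settled by the same banks.
SAMPLE = (
    _n(12, acquirer="BANK_A", mcc="5912", card_present=False, spam_linked=True)
    + _n(5, acquirer="BANK_B", mcc="5912", card_present=False, spam_linked=True)
    + _n(2, acquirer="BANK_C", mcc="5912", card_present=False, spam_linked=True)
    + _n(1, acquirer="BANK_D", mcc="5912", card_present=False, spam_linked=True)
    + _n(6, acquirer="BANK_A", mcc="5411", card_present=True, spam_linked=False)
    + _n(3, acquirer="BANK_A", mcc="4511", card_present=False, spam_linked=False)
    + _n(2, acquirer="BANK_A", mcc="5912", card_present=True, spam_linked=False)
    + _n(1, acquirer="BANK_A", mcc="5912", card_present=False, spam_linked=False)
    + _n(2, acquirer="BANK_D", mcc="5912", card_present=False, spam_linked=False)
)

if __name__ == "__main__":
    print("blanket  ", evaluate(blanket_rule, SAMPLE))
    print("selective", evaluate(selective_rule, SAMPLE))
    print("share    ", acquirer_share(SAMPLE))
```

On this sample both rules stop the same spam-linked payments, but the blanket rule also declines every ordinary purchase settled by the flagged banks, while the selective rule declines one.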

After examining millions of spam e-mails and spam Web sites—and making over 100 purchases from the sites advertised by the spammers—the research team found that just three banks were used to clear more than 95 percent of spam funds...

...going after the money could be our best bet for an end to the junk mail menace.

WTF?!? It's taken people how many years to realize this?

I would have thought this was the most obvious first step towards tracking down spam in the (pathetic) history of tracking down spam.

I would have thought this was the most obvious first step towards tracking down spam in the (pathetic) history of tracking down spam.

You would have thought, but did you?

I think a lot of research was done in the past establishing the whole "spam chain". Also, a lot of people, for a long time, were more concerned with the email sent because it's not really the money that's an issue, it's the spam. So naturally, people were more fixated on the spam itself because it's a bit of an easier problem to solve.

Also, the relationship between the elements of the supply chain were shrouded in a bit of mystery, so before you can track money you have to track how everything's linked together. So yeah, it might have taken years.

However, since spam is ultimately supported by Western money, it is perhaps more feasible to address this problem in the West as well. To wit, if U.S. issuing banks (i.e., banks that provide credit cards to U.S. consumers) were to refuse to settle certain transactions (e.g., card-not-present transactions for a subset of Merchant Category Codes) with the banks identified as supporting spam-advertised goods, then the underlying enterprise would be dramatically demonetized. Furthermore, it appears plausible that such a “financial blacklist” could be updated very quickly (driven by modest numbers of undercover buys, as in our study) and far more rapidly than the turn-around time to acquire new banking resources—a rare asymmetry favoring the anti-spam community. Furthermore, for a subset of spam-advertised goods (regulated pharmaceuticals, brand replica products, and pirated software) there is a legal basis for enforcing such a policy.

So basically, Visa could shutdown SPAM tomorrow if they felt like it at negligible cost using entirely legal methods.

I know people have dug out the info about the big three but it's still a bit sad that the article didn't include that info. Oh and the secondary take-away is that the credit companies need to be regulated to care but that should be unsurprising at this point.

I'm actually pretty surprised that the package delivery rate was ~40%. I wouldn't have thought it would have been anywhere near that high.

Enough disputed transactions and your merchant account gets cancelled. The delivery rate was more than 40%; 88% of purchases in which money actually changed hands resulted in goods arriving. In fact, the true percentage may have been higher; the paper notes that some deliveries may have occurred after their leased postal address expired.

While I realize it can be difficult to tell them apart these days, US banks aren't actually a part of the federal government.

True, but who do you think is going to make the list of blocked banks? I'm all for preventing spam, but I honestly get only a couple messages per month in my inbox anyway these days, with few false positives (except for GMail recently, which seems to have messed up their spam filters a bit). I wonder how many people would be stopped from making legitimate transactions by blocking these banks, and how much financial leverage someone might theoretically be able to wield by misusing or extending the coverage of said list.

Perhaps someone could go into more detail regarding how this has been applied to online gambling and what the results were.

So basically, Visa could shutdown SPAM tomorrow if they felt like it at negligible cost using entirely legal methods.

I can't speak to the other two banks (I Googled them and got little on the Azerigazbank while St. Kitts bank is small but is legit and the only bank in St. Kitts), but refusing transactions from DnB Nor bank would be a huge deal. It is the largest bank in Norway and is huge in Denmark, Lithuania, Estonia and Latvia. If Visa and Mastercard shut down the DnB Nor and DnB Nord networks (Nord is owned by Nor), this would prevent millions of northern and eastern Europeans from making legitimate credit card transactions.

So basically, Visa could shutdown SPAM tomorrow if they felt like it at negligible cost using entirely legal methods.

I can't speak to the other two banks (I Googled them and got little on the Azerigazbank while St. Kitts bank is small but is legit and the only bank in St. Kitts), but refusing transactions from DnB Nor bank would be a huge deal. It is the largest bank in Norway and is huge in Denmark, Lithuania, Estonia and Latvia. If Visa and Mastercard shut down the DnB Nor and DnB Nord networks (Nord is owned by Nor), this would prevent millions of northern and eastern Europeans from making legitimate credit card transactions.

They can be more selective than that; they could, for example, refuse card-not-present transactions with merchant category code 5912 (Drug Stores and Pharmacies).

refusing transactions from DnB Nor bank would be a huge deal. It is the largest bank in Norway and is huge in Denmark, Lithuania, Estonia and Latvia. If Visa and Mastercard shut down the DnB Nor and DnB Nord networks (Nord is owned by Nor), this would prevent millions of northern and eastern Europeans from making legitimate credit card transactions.

The mere threat of refusing transactions would cause them to stop their associations with spammers, no need to actually refuse transactions if the banks are legit. No civilized bank would risk being associated with illegal operations that represent only a very marginal amount (hopefully for them) of their business. If it's a sizable amount, then there is no doubt that the bank is not legit and should be investigated too.

I think the money trail is the best bet to beat spam. Since they get 30% or more on sales, it should also be easy to follow the money trail until the spammers' bank accounts to hit two targets with one stone, not just the web sites.

So basically, Visa could shutdown SPAM tomorrow if they felt like it at negligible cost using entirely legal methods.

I can't speak to the other two banks (I Googled them and got little on the Azerigazbank while St. Kitts bank is small but is legit and the only bank in St. Kitts), but refusing transactions from DnB Nor bank would be a huge deal. It is the largest bank in Norway and is huge in Denmark, Lithuania, Estonia and Latvia. If Visa and Mastercard shut down the DnB Nor and DnB Nord networks (Nord is owned by Nor), this would prevent millions of northern and eastern Europeans from making legitimate credit card transactions.

Stop doing business with the spammers and the machines get turned back on. Easy.

Well then we aren't dealing with three banks anymore. Someone at the credit card processors or the banks needs to go one by one through each merchant account and verify it is a legit business. This seems to be counter to the point of the article and several of the comments where shutting down 3 banks would be the solution.

I doubt that the banks look to associate with spammers, it is just that it is easy for someone who can show that they have incorporated and have a business address to set up a credit card processing account. Just like the mob set up fake businesses to launder money, the spammers can set up fake businesses too. It will take the banks real time money and effort to separate the spammers from the legit businesses, especially if local law enforcement doesn't care.

Well then we aren't dealing with three banks anymore. Someone at the credit card processors or the banks needs to go one by one through each merchant account and verify it is a legit business. This seems to be counter to the point of the article and several of the comments where shutting down 3 banks would be the solution.

I doubt that the banks look to associate with spammers, it is just that it is easy for someone who can show that they have incorporated and have a business address to set up a credit card processing account. Just like the mob set up fake businesses to launder money, the spammers can set up fake businesses too. It will take the banks real time money and effort to separate the spammers from the legit businesses, especially if local law enforcement doesn't care.

It would be relatively easy for a taskforce to make purchases systematically to determine which merchant accounts were spam accounts, and report that information to banks and credit card networks.

I think this is a case of "be careful what you wish for." The crack down on online poker is obnoxious at a minimum. How much control do you want the Feds to have?

The FBI/NSA/CIA has always had such control, since they already had the power to grab more power (or to secretly abuse rightful powers). That may be worse than the open abuse of power.

Now an abuser is always bad - for example relatives shouldn't have to worry whether the person is drunk or in a good mood. But there will always be one most-powerful authority that can't seem to resist enslaving one more man, or exploiting one more whore to control and humiliate.

One hypothetical remedy is openness. We are now experiencing a worldwide policy transformation in this direction through Soros & Friends, although I don't recall personally signing off on the plan (do you?). Ironically, they are not being totally open about it. Just *so* open to make sure it works, I guess...

As far as spam goes, safe lists solve everything. I don't know why they aren't used more. Probably just for that reason... They work!

How DARE they try to destroy the internet with more regulation! Spam blacklists are anti-innovation and will never work! What about free speech rights? This is censorship! This is imperialism! Draconian! Chilling effects...wah wah wah...

So basically, Visa could shutdown SPAM tomorrow if they felt like it at negligible cost using entirely legal methods.

I can't speak to the other two banks (I Googled them and got little on the Azerigazbank while St. Kitts bank is small but is legit and the only bank in St. Kitts), but refusing transactions from DnB Nor bank would be a huge deal. It is the largest bank in Norway and is huge in Denmark, Lithuania, Estonia and Latvia. If Visa and Mastercard shut down the DnB Nor and DnB Nord networks (Nord is owned by Nor), this would prevent millions of northern and eastern Europeans from making legitimate credit card transactions.

Stop doing business with the spammers and the machines get turned back on. Easy.

Yep. Let them know beforehand, just as a bit of fair play. Give them 20 minutes. If they want to play games, all their legitimate customers get to find out precisely why they can't bank today. Point the customers to alternative banking providers if necessary.

"Playing along" includes handing over ALL the relevant data. You want to interfere with commerce and telecommunications worldwide? Guess what, we know where you bank, and we will fuck you up.

Seal team 6 is for second offences. There will be no third offence. No, I'm not kidding. Fucking with the world's economy isn't funny.

I'm all for taking down the illicit banks (and yes, that's what they are, they're profiting off spam which costs the world how much?). But it needs to be a surgical strike. Start with the press -- make a big fuss in that country's national paper about what that bank is doing and how they're doing it, and what will happen if it doesn't cease in 168 hours (one week exactly). Followed by a note saying, if you use this bank, and your banking fails after that week, know that your bank chose the spammers' business over your own.

Then do it to the ones that haven't complied. How is this a bad plan?</Luis Guzman>

It would be relatively easy for a taskforce to make purchases systematically to determine which merchant accounts were spam accounts, and report that information to banks and credit card networks.

I think they could even make it a profit center, to a point. Kind of like setting up speed traps to boost traffic-violation 'revenue'... go after the big spam operations and/or their banks and assess huge penalties.

Of course many of the operations are in countries with shitty laws, but sooner or later some of that money has to touch civilization. In the long run, the goal is to make spamming uneconomical.

I realized many years ago that spam is advertising. I get it all the time in its physical form in my U.S. Post Office mailbox. Spam will never go away because it is only the shadier version of what every company, business, and Mom & Pop storefront do every day, which is advertise. Look for spam to ultimately be defended as a right of free speech in America.

How DARE they try to destroy the internet with more regulation! Spam blacklists are anti-innovation and will never work! What about free speech rights? This is censorship! This is imperialism! Draconian! Chilling effects...wah wah wah...

So basically, Visa could shutdown SPAM tomorrow if they felt like it at negligible cost using entirely legal methods.

I can't speak to the other two banks (I Googled them and got little on the Azerigazbank while St. Kitts bank is small but is legit and the only bank in St. Kitts), but refusing transactions from DnB Nor bank would be a huge deal. It is the largest bank in Norway and is huge in Denmark, Lithuania, Estonia and Latvia. If Visa and Mastercard shut down the DnB Nor and DnB Nord networks (Nord is owned by Nor), this would prevent millions of northern and eastern Europeans from making legitimate credit card transactions.

They can be more selective than that; they could, for example, refuse card-not-present transactions with merchant category code 5912 (Drug Stores and Pharmacies).

I think what everyone is missing, and I was not aware of until now, is that 88% of the items ordered were delivered! I was under the impression that these were thieves!! They aren't thieves, they are shitty advertisers, but they are delivering a product that you ordered and paid for. I'm not sure that what they are doing is illegal in any court of law. Yes it sucks to get email that you didn't specifically want, but as someone already mentioned, we get all kinds of crap in the mailbox! I know that the delivery of said mail is paid for, but these spammers are paying for the hosting and all that,

I guess I'm still stuck on the fact that the products ordered are being delivered. The steam for the whole argument was just let out..

It's sad that some of the people posting here have no idea of the amount of admin/server/bandwidth/electricity resources consumed (read: wasted) just to deal with spam. They have been shielded by their mail provider's filtering efforts and don't realize what work has been done behind the scenes on their behalf.